不好意思,我说得不准确,刚才看看MSDN,PE文件的数字签名是放到了PE文件的最后。
MS-DOS header
Offset of PE header (offset 0x3c)
PE header
Section headers
Section
Debug information and certificates (if any)
当PE文件被签名的时候,证书数据会被放到文件的末尾并且PE文件头也会被适当的修改。
即在PE头的最后一个部分中会写入一个结构保存证书的一些信息。
MSDN原文如下:
The PE header begins with a 4-byte sequence, "PE\0\0", that identifies the MS-DOS® header. The MS-DOS header is followed by a standard Common Object File Format (COFF) header. This COFF header is followed by an optional header that is always present on Windows .exe and .dll files. The last field in a PE header is an optional data directory table.
Each entry in the data directory table consists of an IMAGE_DATA_DIRECTORY structure. The fifth structure in the data directory table contains certificate table information.